Have fun setting up OpenVPN tray icon, sucker



  • Let the Linux Hate Month continue!

    [Imaginary noob friend who just moved to linux]: Mister, mister, I just installed Debian XFCE and need to connect to multiple openvpn networks my company hosts. How do I get the little widget I had on my Mac and Windows that allows me to do that?

    [Wise cartman, linux master in making]: That's easy, my unenlightened simpleton friend. All you need to do is...

    • Try the official network manager widget
    • It doesn't work
    • <google, google>
    • It works, but only allows one connection at a time
    • <google, google>
    • There's no way to fix that
    • Google for a "xfce openvpn client multiple connections"
    • Realize gopenvpn is the only solution
    • Realize it was last updated 3 years ago and there is no suitable binary distribution (luckily it wasn't hosted on google code!)
    • Sigh. Well, there are build instructions on the page, so *shrugs*
    $ sudo apt-get install libglib2.0-dev libgtk2.0-dev libglade2-dev libgnome-keyring-dev gedit polkit
    

    E: Unable to locate package polkit

    • <google, google, apt-get tab tab tab>
    $ sudo apt-get install libpolkit-agent-1-dev 
    
    • Hopefully, the rest of instructions will be easier
    $ cd ~/install
    $ git clone git://gopenvpn.git.sourceforge.net/gitroot/gopenvpn/gopenvpn.git
    $ cd gopenvpn
    $ ./autogen.sh
    bash: ./autogen.sh: No such file or directory
    
    • Okaay... <google, google, cat INSTALL, cat README>
    1. Build it

    $ cd gopenvpn
    > $ autoreconf -vi
    $ ./configure
    $ make

    • So... they changed the install instructions in the repo. Nice of them to keep the outdated instructions around on their site.
    $ autoreconf -vi
    
    autoreconf: Entering directory `.'
    autoreconf: running: autopoint
    autoreconf: running: aclocal -I m4
    autoreconf: configure.ac: tracing
    autoreconf: configure.ac: not using Libtool
    autoreconf: running: /usr/bin/autoconf
    autoreconf: running: /usr/bin/autoheader
    autoreconf: running: automake --add-missing --copy --no-force
    automake: warnings are treated as errors
    configure.ac:25: warning: The 'AM_PROG_MKDIR_P' macro is deprecated, and its use is discouraged.
    configure.ac:25: You should use the Autoconf-provided 'AC_PROG_MKDIR_P' macro instead,
    configure.ac:25: and use '$(MKDIR_P)' instead of '$(mkdir_p)'in your Makefile.am files.
    autoreconf: automake failed with exit status: 1
    
    • So, they treat some warnings as errors? Very useful to leave that for ordinary people who just want to use your stuff and don't care about your development environment.
    • <google, google>
    • Read wrong forum post and try the fix for outdated version
    • Try all combinations of -W none -Wnone
    • Try ERRORS=none ./autoreconf -vi
    • Try automake --add-missing --copy --no-force -Wnone
    • <google, google>
    • Learn more about C programming, make, automake and other crap you vaguely remember and don't care about
    • subl configure.ac
    ...
    AC_PREREQ([2.59])
    AC_INIT([gopenvpn], [0.7], [gopenvpn-users@lists.sourceforge.net])
    AC_CONFIG_AUX_DIR([.])
    AM_INIT_AUTOMAKE([foreign -Wall -Werror])
    AM_GNU_GETTEXT_VERSION([0.18.1])
    AM_GNU_GETTEXT([external])
    ...
    
    • Change AM_INIT_AUTOMAKE([foreign -Wall -Werror]) to AM_INIT_AUTOMAKE([foreign -Wnone])
    $ autoreconf -vi
    $ ./configure 
    $ make
    $ sudo make install
    
    • YES! Now just to finish things up...
    • Copy openvpn config files to /etc/openvpn
    • Fix permissions
    • Hmm, ok, so how do I create an application launcher within my other applications, so it's visible to the entire system?
    • <google, google>
    $ sudo exo-desktop-item-edit -c -t Application /usr/share/applications/gopenvpn.desktop
    
    
    • Easy, now I can start the app. And IT WORKS....
    • Let me just right click and add my openvpn conf...
    • WTF? Right click off. Right click again.

    • Ok, seems to be working. Now to connect...

    • WTF? Couldn't they have equalized these godawful ugly images? I can't live with this wiggly shit, it'll drive me insane
    • <google, google>
    • Look, on their site they say they have fixed images! ... Oh. These are the same crap.
    • <google, google ... search through forum archives>
    • Download archive from an obscure forum post with alternate images
    • Figure out where to copy them
    • Edit one of the icons so it fits your theme
    • Success! Well sort of. That yellow is ugly. But whatever.

    And that's how you install openvpn tray icon to your Debian XFCE linux.


  • BINNED

    @cartman82 said:

    It works, but only allows one connection at a time

    Huh. I never even tried multiple ones, didn't need them... Is that a problem with the tray applet of NetworkManager itself?



  • @Onyx said:

    Huh. I never even tried multiple ones, didn't need them... Is that a problem with the tray applet of NetworkManager itself?

    Have no idea. This post is actually a synthesis of a long process of getting this shit to work on multiple iterations of my Debian XFCE. Network manager was an attempt from my last Debian (7.0), I didn't even try it this time around (and I was just setting it up on my new Debian, thus the inspiration for this rant).

    All I remember is that when you click the second VPN connection, it disconnects the first. Sometimes that's what you want (networks overlap and all), but if your company has multiple networks that are set up so not to interfere with each other, you're out of luck.


  • BINNED

    onyx@jarvis:~$ nmcli connection up conn1
    VPN connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/9)
    onyx@jarvis:~$ sudo ifconfig ppp0
    ppp0      Link encap:Point-to-Point Protocol  
              inet addr:192.168.0.37  P-t-P:192.168.0.33  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1400  Metric:1
              RX packets:13 errors:0 dropped:0 overruns:0 frame:0
              TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:3 
              RX bytes:494 (494.0 B)  TX bytes:98 (98.0 B)
    
    onyx@jarvis:~$ nmcli connection up conn2
    Error: Connection activation failed: Creating object for path '/org/freedesktop/NetworkManager/ActiveConnection/11' failed in libnm-glib.
    onyx@jarvis:~$ sudo ifconfig ppp0
    ppp0: error fetching interface information: Device not found
    

    Well sunnova bitch!



  • Well, we only need to wait until some of the guys behind System.d needs this and they'll rewrite the whole thing.


  • BINNED

    @Eldelshell said:

    Well, we only need to wait until some of the guys behind System.d needs this and they'll rewrite the whole thing.

    I saw network configuration on Arch... I think they already did, at least partially.



  • Those guys will end up rewriting the kernel or replacing it with Hurd.



  • @Onyx said:

    Huh. I never even tried multiple ones, didn't need them... Is that a problem with the tray applet of NetworkManager itself?

    Oh hey look! The Linux answer, "you don't need that!"

    Where's that linux trademarks or whatever site, is that still up? Looks like no, damn.

    @Eldelshell said:

    Well, we only need to wait until some of the guys behind System.d needs this and they'll rewrite the whole thing.

    They could hardly make it worse.


  • BINNED

    @blakeyrat said:

    Oh hey look! The Linux answer, "you don't need that!"

    I would like to inform your shoulder aliens that they have misread and misinterpreted my post. I have only stated that I never needed that, not that other people don't. I accept and appreciate that other people are different to me and have different needs, outlooks and desires. I did not claim they should all bow down to my will and STFU.

    Further, I have conducted a test right after that which concluded that yes, it's a limitation. To which my response was:

    @Onyx said:

    Well sunnova bitch!

    Is that phrase now used to express approval? I need to know, English is my second language and I do tend to misuse it at times. Any corrections to my use of that phrase are welcome.



  • Onyx: "Let me just quietly say something not totally negative about Linux and be on my w-"
    Blakey: "WHAT WAS THAT!?"



  • Pfft. His own fault for thinking I'd read further than the first sentence, or that I'd somehow know what this gibberish means:

    onyx@jarvis:~$ nmcli connection up conn1
    VPN connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/9)
    onyx@jarvis:~$ sudo ifconfig ppp0
    ppp0 Link encap:Point-to-Point Protocol
    inet addr:192.168.0.37 P-t-P:192.168.0.33 Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1400 Metric:1
    RX packets:13 errors:0 dropped:0 overruns:0 frame:0
    TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:3
    RX bytes:494 (494.0 B) TX bytes:98 (98.0 B)

    onyx@jarvis:~$ nmcli connection up conn2
    Error: Connection activation failed: Creating object for path '/org/freedesktop/NetworkManager/ActiveConnection/11' failed in libnm-glib.
    onyx@jarvis:~$ sudo ifconfig ppp0
    ppp0: error fetching interface information: Device not found

    Congratulations, look at all those word-like entities that presumably have some meaning to somebody somewhere I guess!


  • ♿ (Parody)

    @cartman82 said:

    and need to connect to multiple openvpn networks my company hosts.

    Like @Onyx, I've never had to do anything like this. In fact, my company's VPN (NB: not openvpn) expressly disallows this sort of thing. They want you connected to them and them only, which makes a lot of sense to me from a network security POV.

    So...when you're connected to multiple things like this:

    1. Why are you doing this? This sort of thing makes sense to me for, say, something sitting on the DMZ. But that doesn't sound like what's going on here.
    2. How does it work to access something via one VPN vs another?


  • See and now Boomzilla's just doing it on purpose.


  • ♿ (Parody)

    @blakeyrat said:

    See and now Boomzilla's just doing it on purpose.

    Eh, what am I doing? If I wanted to troll you, I'd go to some place you were talking about your games and make faux ignorant comments like the stuff you've posted here. There was zero trolling content in my first post.

    BRB, my Win7 machine just BSODed.



  • @boomzilla said:

    So...when you're connected to multiple things like this:

    Why are you doing this? This sort of thing makes sense to me for, say, something sitting on the DMZ. But that doesn't sound like what's going on here.
    How does it work to access something via one VPN vs another?

    We have a VPN inside office. Remote server has its own VPN. Other company we are cooperating with has their own.

    Each VPN just grabs a bunch of local IP-s and maps them to a remote network.

    In my case, one VPN is on 10.10.10.* subnet, the other on 192.168.10.* or something. So they are guaranteed not to overlap.


  • BINNED

    @blakeyrat said:

    His own fault for thinking I'd read further than the first sentence

    I'm sorry, I erringly assumed I can hold you to your own standards.

    @blakeyrat said:

    or that I'd somehow know what this gibberish means

    No, I expected anyone interested in genuine discussion who does not understand what that means to ask about it.

    @blakeyrat said:

    Congratulations, look at all those word-like entities that presumably have some meaning to somebody somewhere I guess!

    I count at least 4 people, unless they hit like on my post just because I'm that charming.


  • ♿ (Parody)

    @Onyx said:

    I count at least 4 people, unless they hit like on my post just because I'm that charming.

    WELLKNOWNFACT: only bots Like posts. You've been LIED TO.


  • Discourse touched me in a no-no place

    @boomzilla said:

    How does it work to access something via one VPN vs another?

    Via IP ranges. For example:

    192.168.0.0/20 -> VPN 1
    192.168.16.0/20 -> VPN 2
    192.168.32.0/20 -> VPN 3
    Anything else -> Default connection

    Concrete example, my home laptop VPN'd to work:

    [root@sofa ~]# ip route
    default via 192.168.0.1 dev wlan0 
    10.0.0.0/16 dev tun0  scope link 
    10.1.0.0/16 dev tun0  scope link 
    10.5.0.0/16 dev tun0  scope link 
    10.10.0.0/16 dev tun0  scope link 
    10.18.0.0/16 dev tun0  scope link 
    10.22.0.0/16 dev tun0  scope link 
    10.36.0.0/16 dev tun0  scope link 
    10.58.0.0/16 dev tun0  scope link 
    10.59.0.0/16 dev tun0  scope link 
    10.100.0.0/16 dev tun0  scope link 
    10.120.0.0/16 dev tun0  scope link 
    10.121.0.0/16 dev tun0  scope link 
    10.122.0.0/16 dev tun0  scope link 
    10.125.0.0/16 dev tun0  scope link 
    10.126.0.0/16 dev tun0  scope link 
    10.161.0.0/24 dev tun0  scope link 
    10.238.0.0/16 dev tun0  scope link 
    10.255.0.0/16 dev tun0  scope link 
    <public office IP address> via 192.168.0.1 dev wlan0  src 192.168.0.3 
    145.15.244.0/25 dev tun0  scope link 
    169.254.0.0/16 dev wlan0  scope link  metric 1003 
    172.16.0.0/16 dev tun0  scope link 
    172.23.0.0/16 dev tun0  scope link 
    172.23.5.0/24 dev tun0  scope link 
    172.30.0.0/16 dev tun0  scope link 
    172.32.1.0/24 dev tun0  scope link 
    192.168.0.0/24 dev wlan0  proto kernel  scope link  src 192.168.0.3 
    192.168.0.0/16 dev tun0  scope link 
    [root@sofa ~]# 
    

    wlan0 is my home internet connection, tun0 is the VPN.

    Adding another VPN would add further rules and another tun device.
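
An added example (not part of the original thread): the route selection described in the post above, as a Python sketch that parses `ip route` output, picks the device by longest-prefix match, and lists prefixes that overlap across two tunnel devices. The sample table is constructed from a few lines of the listing above plus a hypothetical `tun1` carrying the 10.10.10.* and 192.168.10.* subnets mentioned earlier in the thread; route metrics and policy routing are ignored.

```python
import ipaddress

# Constructed sample: a subset of the listing above plus a hypothetical
# second tunnel (tun1). Not captured from a real host.
SAMPLE = """\
default via 192.168.0.1 dev wlan0
10.0.0.0/16 dev tun0 scope link
10.10.0.0/16 dev tun0 scope link
172.23.0.0/16 dev tun0 scope link
172.23.5.0/24 dev tun0 scope link
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.3
192.168.0.0/16 dev tun0 scope link
10.10.10.0/24 dev tun1 scope link
192.168.10.0/24 dev tun1 scope link
"""


def parse_routes(text):
    """Return [(network, device)] for each usable line of `ip route` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields[:-1]:
            continue  # blank line, or no device name after "dev"
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # redacted placeholder or a route type keyword
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes


def lookup(routes, addr):
    """Device chosen for addr: the matching route with the longest prefix."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, dev) for net, dev in routes if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def cross_tunnel_overlaps(routes, is_tunnel=lambda dev: dev.startswith("tun")):
    """Overlapping prefixes that point at two different tunnel devices."""
    tun = [(n, d) for n, d in routes if is_tunnel(d)]
    found = []
    for i, (a, dev_a) in enumerate(tun):
        for b, dev_b in tun[i + 1:]:
            if dev_a != dev_b and a.version == b.version and a.overlaps(b):
                found.append((str(a), dev_a, str(b), dev_b))
    return found


if __name__ == "__main__":
    table = parse_routes(SAMPLE)
    for target in ("10.10.10.5", "10.10.20.5", "192.168.0.7", "8.8.8.8"):
        print(f"{target:>14} -> {lookup(table, target)}")
    for a, dev_a, b, dev_b in cross_tunnel_overlaps(table):
        print(f"overlap: {a} ({dev_a}) contains or meets {b} ({dev_b})")
```

In the constructed table the broad /16 routes on `tun0` cover the `tun1` subnets, so traffic for those addresses silently follows the more specific `tun1` route; the overlap report is what shows where two VPNs claim the same address space.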


  • ♿ (Parody)

    @cartman82 said:

    In my case, one VPN is on 10.10.10.* subnet, the other on 192.168.10.* or something. So they are guaranteed not to overlap.

    Hmm...interesting. Thanks.



  • Generally multiple VPN's are not a good idea, it really violates the concept of PRIVATE with respect to the endpoint (though the transmittal over the public wire is still private). This is why many VPN clients prevent it, and a few of the more secure Servers also detect it (and force a disconnect).

    That being said, there are use-cases that are handy....just remember it is similar to having multiple NIC's on your computer, plugging one into the corporate network and another into some external network... most likely to be a violation of multiple security practices....



  • Hey, @tar....

    @riking said:

    That sounds on about the same level, to me, as shipping a Makefile with -Wall -Werror included in the default build.

    @tar said:

    Are you implying that -Wall -Werror is going to break on properly-written portable code?

    @cartman82 said:

    Change AM_INIT_AUTOMAKE([foreign -Wall -Werror]) to AM_INIT_AUTOMAKE([foreign -Wnone])

    You were saying?



  • WHAT WAS I SAYING?!?!?

    @tar said:

    Are you implying that -Wall -Werror is going to break on properly-written portable code?

    @tar said:

    properly-written portable

    Oh, right....



  • Oops, forgot to write it down...

    My point is that "properly-written portable code", in the sense that it will never trigger any warnings on any compiler you ever compile it with, is so low in quantity as to be insignificant.



  • I'm not 100% convinced of that—my C++ code compiles with -Wall -Werror -Wextra on Windows, Linux or BSD with pretty much any gcc from 4.6 onwards, and a reasonably modern clang (clang is actually much stricter on template code than gcc is—if your template code compiles on clang, it'll compile on gcc...)

    Now, I do have a few -Wno- set flags for things such as "unused function parameter" (and I do negotiate with any particular compiler to decide precisely which -Wno- flags it understands from the set that I test against). And I don't use -Werror with third party code I depend on (say, SDL, or SQLite). But you can write things like an audio plugin network or an OpenGL renderer under those conditions. It's mildly annoying to have to maintain, but it's doable.


  • Discourse touched me in a no-no place

    @tar said:

    I'm not 100% convinced of that—my C++ code compiles with -Wall -Werror -Wextra on Windows, Linux or BSD with pretty much any gcc from 4.6 onwards, and a reasonably modern clang (clang is actually much stricter on template code than gcc is—if your template code compiles on clang, it'll compile on gcc...)

    That's fine until you have software that uses a deprecated OS API (and where what it is deprecated in favour of totally lacks the functionality you're using, of course; some parts of OSX are exactly like that when you want to do advanced virtualisation of library loading). At that point, you're stuck with having warnings. The best you can usually do in that case is to corral the errors into one file that you build without -Werror and turn the flag on for everything else.



  • @cartman82 said:

    > 2. Build it

    $ cd gopenvpn
    $ autoreconf -vi

    :facepalm:

    That’s a major pet peeve of mine: Projects that use automake, but whose source distribution doesn’t include the generated configure script, so you have to manually call autogen.sh, autoreconf or other mystic incantation.


    Filed under: Want clear messages about missing libraries? Ha! Have fun with `AM_CHECK_WHATEVER is not defined`

  • Discourse touched me in a no-no place

    @VinDuv said:

    That’s a major pet peeve of mine: Projects that use automake, but whose source distribution doesn’t include the generated configure script, so you have to manually call autogen.sh, autoreconf or other mystic incantation.

    We keep that stuff committed in our repo. Yes, that's a bit wrong. No, it's not a catastrophic problem in practice; we don't change that part of the build system very often. 😄


  • :belt_onion:

    I use IntelliJ for pretty much everything I do, and I like to make sure that the little bar on the side is always green - That means I'll go through after I've written code and clean it up as much as possible, then annotate out anything that I can't clean (With comments to indicate why, of course).


  • Java Dev

    IMO, -Werror is an important tool, but it belongs in a form of automatic test, not in your default build, especially if you're shipping source.

    I also recommend an automatic test to verify your debug build(s) and -O0 function correctly. All of those should pass with -Werror.



  • @PleegWat said:

    -Werror is an important tool, but it belongs in a form of automatic test, not in your default build, especially if you're shipping source.

    Yeah, causing downstream maintainers to tear their hair out over a FTBFS due to a compiler version change that introduced some new, possibly-spurious warning is a bad idea.


  • Discourse touched me in a no-no place

    @dkf said:

    At that point, you're stuck with having warnings.

    Doesn't GCC have a #pragma or something to suppress a particular warning/error for a range or compilation unit?



  • You can do stuff like this (pulled out of some macros, which is why it's using _Pragma...):

        _Pragma("GCC diagnostic push")
        _Pragma("GCC diagnostic ignored \"-Winvalid-offsetof\"")
    
        // warny stuff here...
    
        _Pragma("GCC diagnostic pop") 
    

  • Discourse touched me in a no-no place

    @tar said:

    You can do stuff like this (pulled out of some macros, which is why it's using _Pragma...):

        _Pragma("GCC diagnostic push")
        _Pragma("GCC diagnostic ignored \"-Winvalid-offsetof\"")
    
        // warny stuff here...
    
        _Pragma("GCC diagnostic pop") 
    ```</blockquote>
    
    [Discoquoting rant goes <del>here</del><ins>everywhere</ins>]
    
    Dang, that's ugly.  VC++ lets you do:
    

    #pragma warning(push)
    #pragma warning(disable: 4700) // you have to know what warning 4700 is, of course
    // code that generates 4700 here
    #pragma warning(pop)



  • It'd probably be more like this if you used #pragma:

    #pragma GCC diagnostic ignored "-Winvalid-offsetof"
    

    I am not sufficiently motivated to test it with a compiler though...


  • Discourse touched me in a no-no place

    @tar said:

    I am not sufficiently motivated to test it with a compiler though...

    That's still verbose.



  • I guess I don't really have as strong an opinion either way around how different compilers implement non-standard features...


  • Discourse touched me in a no-no place

    @tar said:

    I guess I don't really have as strong an opinion either way around how different compilers implement non-standard features...

    Are you agnostic on begin vs. {?



  • Pascal is just the worst.



  • OK, now you've actually made me think about it, I think the GCC #pragma has a slight edge on the CL #pragma because you don't have to go on the internet to look up the warning code to see what's being disabled. So that's an advantage which mitigates it being longer...



  • @tar said:

    OK, now you've actually made me think about it, I think the GCC #pragma has a slight edge on the CL #pragma because you don't have to go on the internet to look up the warning code to see what's being disabled. So that's an advantage which mitigates it being longer...

    Except you have to go look up what that -W string is when it happens[1]. In VC, I see the warning number when compiling, copy/paste, done. (I usually copy/paste the warning text too so I don't have to remember.)

    [1] Unless your warning generates that info too. Way too much effort to turn on my mac to see...

    @FrostCat said:

    Are you agnostic on begin vs. {?

    No one is allowed to question the one-true-style! {!



  • @dcon said:

    Except you have to go look up what that -W string is when it happens[1]. In VC, I see the warning number when compiling, copy/paste, done. (I usually copy/paste the warning text too so I don't have to remember.)

    gcc --help -v 2>&1 | grep -- -W (Which is admittedly slightly fiddlier than it needs to be because gcc dumps its help to stderr...)



  • @tar said:

    gcc --help -v 2>&1 | grep -- -W (Which is admittedly slightly fiddlier than it needs to be because gcc dumps its help to stderr...)

    VC for the win.



  • CL doesn't even have documentation built in for its warnings. What are you going to do if you're trying to fix your code on a plane, where you don't have internet, eh?



  • The process described is very similar to building Boost with GCC on Windows.


  • BINNED

    @tar said:

    What are you going to do if you're trying to fix your code on a plane, where you don't have internet, eh?

    Get a life?

    Yeah, yeah, look who's talking etc.



  • "I need to be able to work on a plane" is often advanced as a reason that you need to use git for source control.

    Of course, the obvious response to this is "no you don't, that's stupid. You're stupid, and your source control is stupid also..."


  • BINNED

    @tar said:

    "I need to be able to work on a plane" is often advanced as a reason that you are a git

    Yes.


  • Discourse touched me in a no-no place

    @tar said:

    OK, now you've actually made me think about it, I think the GCC #pragma has a slight edge on the CL #pragma because you don't have to go on the internet to look up the warning code to see what's being disabled. So that's an advantage which mitigates it being longer...

    TDEMSYR. You'd only be turning off a warning because you already had it, so you'd already know what the number was.


  • Discourse touched me in a no-no place

    @tar said:

    What are you going to do if you're trying to fix your code on a plane, where you don't have internet, eh?

    If I were foolish enough to do that I'd've installed the offline help.

    The one-line messages that come with the number are frequently enough to go on. For example, 4700 above is, IIRC, "use of uninitialized variable" which I happen to remember because it was listed on the MSDN page describing the #pragma syntax.



  • @FrostCat said:

    TDEMSYR. You'd only be turning off a warning because you already had it, so you'd already know what the number was.

    That's right, because maintenance isn't a thing. Any code I would ever look at would have been written by me. :rolleyes:

